HAProxy + ISPconfig = Not Forwarding Client Real IP

Discussion in 'ISPConfig 3 Priority Support' started by JohnnyBeGood, Jun 12, 2024.

  1. JohnnyBeGood

    JohnnyBeGood Member

    Hello,

    I downloaded Debian-12-Perfect-Server-Apache.ova from this howto: https://www.howtoforge.com/perfect-...ot-ispconfig-3-2/#-install-pureftpd-and-quota and set up my first domain.

    Now, where remote IPs should be shown (e.g., in access logs or any script that should show remote IP), I get the HAProxy IP instead, which in my case is 192.168.5.1. I've found a few old posts discussing the use of mod_remoteip with Apache but couldn't find any instructions on how to make it work.


    Example:
    /var/www/clients/client1/web1/log/access.log

    Code:
    192.168.5.1 - - [11/Jun/2024:20:17:38 -0700] "GET / HTTP/1.1" 200 26303 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Mobile Safari/537.36"
    
    I would be really thankful for any help.

    Thank you!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you install mod_remoteip already and how did you configure it?
     
  3. JohnnyBeGood

    JohnnyBeGood Member

    Thanks for taking time to reply!

    I enabled it with this:

    Code:
    root@debian:~# a2enmod remoteip
    Enabling module remoteip.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    root@debian:~# systemctl restart apache2
    root@debian:~#
    
    but I couldn't find any related info on what else to do...

    Can you please advise?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely, this:

    You'll have to ensure that your HAProxy adds the right header, this is done with this config option:

    Code:
    option forwardfor

    In /etc/apache2/conf-available/remoteip.conf or /etc/apache2/apache2.conf, you add:

    Code:
    RemoteIPHeader X-Forwarded-For
    # Replace with the IP address of your HAProxy server
    RemoteIPTrustedProxy 127.0.0.1 ::1

    Restart Apache and check if it works now. If not, then you'll most likely have to change the LogFormat line in /etc/apache2/sites-available/ispconfig.conf file to:

    Code:
    LogFormat "%v %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig

    and restart Apache and test it. If it works now, then you must make the change update-safe by copying the file /usr/local/ispconfig/conf/apache_ispconfig.conf.master to /usr/local/ispconfig/conf-custom/apache_ispconfig.conf.master and change the LogFormat line there too.
     
  5. JohnnyBeGood

    JohnnyBeGood Member

    Ok, so there's no file in /etc/apache2/conf-available/remoteip.conf. Should I create remoteip.conf? Or maybe it is located somewhere else on Debian 12.

    I entered:

    Code:
    RemoteIPHeader X-Forwarded-For
    RemoteIPTrustedProxy 192.168.5.1 # IP address of my HAProxy server

    in /etc/apache2/apache2.conf
    and got this after restart of Apache:

    Code:
    root@debian:~# systemctl restart apache2
    Job for apache2.service failed because the control process exited with error code.
    See "systemctl status apache2.service" and "journalctl -xeu apache2.service" for details.
    root@debian:~# systemctl status apache2.service
    × apache2.service - The Apache HTTP Server
         Loaded: loaded (/lib/systemd/system/apache2.service; enabled; preset: enabled)
         Active: failed (Result: exit-code) since Wed 2024-06-12 11:03:25 PDT; 17s ago
       Duration: 10min 59.966s
           Docs: https://httpd.apache.org/docs/2.4/
        Process: 234383 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
            CPU: 49ms
    
    Jun 12 11:03:25 debian.example.com systemd[1]: Starting apache2.service - The Apache HTTP Server...
    Jun 12 11:03:25 debian.example.com apachectl[234387]: AH00548: NameVirtualHost has no effect and will be removed i>
    Jun 12 11:03:25 debian.example.com apachectl[234387]: AH00526: Syntax error on line 229 of /etc/apache2/apache2.co>
    Jun 12 11:03:25 debian.example.com apachectl[234387]: RemoteIP: Error parsing IP # (Name or service not known erro>
    Jun 12 11:03:25 debian.example.com apachectl[234383]: Action 'start' failed.
    Jun 12 11:03:25 debian.example.com apachectl[234383]: The Apache error log may have more information.
    Jun 12 11:03:25 debian.example.com systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAIL>
    Jun 12 11:03:25 debian.example.com systemd[1]: apache2.service: Failed with result 'exit-code'.
    Jun 12 11:03:25 debian.example.com systemd[1]: Failed to start apache2.service - The Apache HTTP Server.
    lines 1-17/17 (END)

    Line 229 has my HAProxy server IP
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Remove the comment, so the line is:

    RemoteIPTrustedProxy 192.168.5.1
     
  7. JohnnyBeGood

    JohnnyBeGood Member

    Wow, didn't know that "#" has impact where it's placed. Now Apache restarts!

    Unfortunately, even after replacing:
    Code:
    LogFormat "%v %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig
    
    in /etc/apache2/apache2.conf

    the log still shows 192.168.5.1 and not remote IPs. Any other suggestion?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Which exact log file do you check? The log format is for the ISPConfig apache log of the sites, not the global Apache logs.
     
  9. JohnnyBeGood

    JohnnyBeGood Member

    I'm checking /var/www/clients/client1/web1/log/access.log which is ISPConfig apache log of the site, correct?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's ok. Did you restart Apache (not just reload it)?
     
  11. JohnnyBeGood

    JohnnyBeGood Member

    Yes, restarted Apache with systemctl restart apache2 and rebooted the server a couple of times just in case.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    I do not use HAProxy, so I can't give you more info about that. Maybe someone else here uses it and can help you out.
     
  13. JohnnyBeGood

    JohnnyBeGood Member

    Thanks for your help!
    Hopefully someone will chime in. Hard to believe I'm the only one using it with HAProxy :)
     
  14. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i've not used HAProxy for a long time now.. but unless they've changed it, just setting 'option forwardfor' is all you need there.

    i've seen various articles saying it should be set in the frontend, others saying in the backend, and one even saying it can be set in any of frontend, defaults, listen or backend section.
    i think, from memory (which isn't great), that i used to set it in the backend section.
    so play around with where it's configured, or even add it to all sections.. and see if it works then.

    if there's any other device between haproxy and the backend server that might alter headers then that could be removing it.

    otherwise, in apache, is mod_remoteip actually installed/active?
    in the log format, mod_remoteip fills in %a and removes it from %{X-Forwarded-For}i so you could try using %{X-Forwarded-For}i instead, see if that works without mod_remoteip
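
Added example, not part of any post in this thread and not mod_remoteip's own code: a simplified Python model of the right-to-left walk over X-Forwarded-For that the mod_remoteip documentation describes for RemoteIPTrustedProxy and RemoteIPInternalProxy. The function names, parameters and sample addresses are constructed for illustration (192.168.5.1 is the HAProxy address from the thread), and it assumes HAProxy's entry arrives to the right of any client-supplied value.

```python
import ipaddress

# Blocks the mod_remoteip docs say a RemoteIPTrustedProxy may not vouch for.
INTRANET_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def is_intranet(ip):
    if ip.version == 4:
        return any(ip in net for net in INTRANET_V4)
    return ip not in PUBLIC_V6


def resolve_client_ip(peer, xff, trusted=(), internal=()):
    """Model of the right-to-left walk; returns (client_ip, leftover_header).

    peer: address Apache accepted the TCP connection from
    xff: X-Forwarded-For value as Apache sees it (RemoteIPHeader)
    trusted / internal: RemoteIPTrustedProxy / RemoteIPInternalProxy entries
    """
    trusted = [ipaddress.ip_network(n) for n in trusted]
    internal = [ipaddress.ip_network(n) for n in internal]
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops:
        from_internal = any(current in n for n in internal)
        if not from_internal and not any(current in n for n in trusted):
            break  # the hop that reported this value is not a known proxy
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # unparsable entry: stop and keep what we have
        if is_intranet(candidate) and not from_internal:
            break  # trusted (non-internal) proxy presenting a private IP
        current = candidate
        hops.pop()
    return str(current), ", ".join(hops)


if __name__ == "__main__":
    haproxy = ["192.168.5.1"]  # HAProxy address from the thread
    # Constructed requests: (peer, header) pairs using documentation addresses.
    for peer, xff in [("192.168.5.1", "198.51.100.23"),
                      ("192.168.5.1", "203.0.113.99, 198.51.100.23"),
                      ("198.51.100.23", "203.0.113.99"),
                      ("192.168.5.1", "192.168.5.40")]:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff, trusted=haproxy))
```

In this model a client-supplied entry to the left of HAProxy's is never promoted to the client address, and a header sent by a peer that is not the listed proxy is ignored. A LAN client (192.168.5.40) behind the proxy still resolves to 192.168.5.1 unless the proxy is listed as internal rather than trusted.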
     
